Severity
CRITICAL
Vendor
CloudFoundry Foundation
Versions Affected
Routing Release < 0.299.0 (in combination with HAProxy Release > 10.6.0)
Description
When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications.
You are affected if you have route-services enabled in routing-release and have configured the haproxy-boshrelease property “ha_proxy.forwarded_client_cert” to “forward_only_if_route_service”.
Mitigation
In case your setup – CF with HAProxy release, route-service enabled and mTLS authentication used – is affected by this vulnerability, it is strongly recommended to apply the following mitigation:
Upgrade routing_release version to 0.299.0 or greater
Set “router.route_services_strict_signature_validation” to “true”
The cf-deployment release v40.17.0 can be used to upgrade the routing release.
Credit
This issue was responsibly reported by Christian Schubert.
History
24.06.2024: Initial vulnerability report published.
